oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

From: Tim <tim-security () sentinelchicken org>
Date: Tue, 3 Jun 2014 08:37:26 -0700

Hi David,


Sorry for the absurdly late reply to this thread. I finally found time to do
some testing on OpenJDK 1.7.0_45. I can confirm Tomas' assessment that
setExpandEntityReferences() and
setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) have no bearing on
whether or not entity references are expanded, nor do they purport
to.


Yeah, you gotta love FEATURE_SECURE_PROCESSING.  It's just like
calling a website "secure" because it uses SSL.

I agree that these features don't purport to turn off certain
dangerous features, but to a developer who doesn't know what parameter
entities are, they could very easily assume they are safe with
setExpandEntityReferences(false).



Applications that process attacker-supplied XML using Xerces are vulnerable
to SSRF attacks unless they use both
setFeature("http://xml.org/sax/features/external-parameter-entities";, false)
and setFeature("http://xml.org/sax/features/external-general-entities";,
false).

The OWASP XXE document should be updated to mention
external-parameter-entities. I will do this as soon as my OWASP wiki account
is approved.


Feel free to use this as a reference for other thoughts on what
developers should be wary of:
  http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

I would also be interested to hear if you think anything I mention in
there is inaccurate.

Cheers,
tim
Previous By Date Next
Previous By Thread Next

Current thread: